Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful ...
Search
no1zy
March 11, 2019
1.7k
5
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Burp Suiteの便利な機能でバグバウンティ / Burp Suite's useful function
Burp Suite Japan LT Carnivalでの発表資料
no1zy
March 11, 2019
More Decks by no1zy
See All by no1zy
バグバウンティ入門してみた /Getting started with Bug Bounty
no1zy
14
4.9k
Featured
See All Featured
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
chikuwait
0
650
How to build an LLM SEO readiness audit: a practical framework
nmsamuel
1
800
Agile Leadership in an Agile Organization
kimpetersen
PRO
0
190
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2.3k
The Invisible Side of Design
smashingmag
301
52k
The browser strikes back
jonoalderson
0
1.4k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
180
YesSQL, Process and Tooling at Scale
rocio
174
15k
Amusing Abliteration
ianozsvald
1
220
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
450
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
390
jQuery: Nuts, Bolts and Bling
dougneiner
66
8.5k
Transcript
Burp SuiteͷศརͳػೳͰ όάόϯςΟ No1zy
ࣗݾհ • twitter: @no1zy_sec • ใܥઐֶੜ • ৽ถόάϋϯλʔ • ڈͷ֫ಘใۚ૯ֹ
612ສԁ
όάϋϯλʔBurp Suite͕େ͖ The 2019 Hacker Report
Կ͕ศརʁ • Web Penetrationʹඞཁͳػೳ͕ॆ࣮͍ͯ͠Δ • Pro൛Ͱར༻Ͱ͖Δػೳ͕ڧྗ
հ͢Δศརػೳ 1. Burp Collaborator client 2. Find Script 3. Analyze
target શͯPro൛ͷΈͰར༻Ͱ͖Δ
1. Burp Collaborator client
Burp Collaborator client • ֎෦ͷͪड͚αʔόʔͱͯ͠ͷׂΛ࣋ͭ ػೳ • Out-of-boundͳ௨৴͕ൃੜ͢Δ߈ܸΛൃݟ͢ Δͱ͖ʹ༗ޮ •
DNS, HTTP/HTTPS, STMP/SMTPSʹରԠ
͍ํ 1. Burp > Burp Collaborator clientΛΫϦοΫ
͍ํ 2. Copy to clipboardΛΫϦοΫ
͍ํ $ curl http://fn6i69eh10k070ymmdjzeicppgv6jv.burpcollaborator.net ଓςετ
͍ํ • ϦΫΤετΛ֬ೝ͢Δ
SSRFͷςετྫ GitLabͷϦϙδτϦΠϯϙʔτػೳ
SSRFͷςετྫ ίϯςϯπΛऔಘ͢ΔΑ͏ͳϦΫΤετ͕ ൃੜ͢ΔػೳɺSSRF͕Մೳͳ߹͕͋Δ
http://127.0.0.1:22 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
http://127.0.0.1:4444 SSRF Payload
SSRFͷςετྫ Ϩεϙϯε
ΤϥʔϝοηʔδͷࠩҟΛ ར༻ͯ͠ϙʔτεΩϟϯ͕Մೳ
None
2. Find Script
Find Script • JavaScriptϑΝΠϧΛऩू͢ΔతͰ༻͢Δ • APIΤϯυϙΠϯτͷൃݟɺAPIΩʔͳͲͷػ ີใɺ੬ऑੑʹͳΓಘΔίʔυͷൃݟͳͲ ʹཱͯΔ͜ͱ͕Ͱ͖Δ
͍ํ 1. Engagement tools > Find scriptsΛΫϦοΫ ͏s
͍ํ • JavaScriptϑΝΠϧ͕Ϧετ͞ΕΔ
͍ํ • Export scriptsͰϑΝΠϧʹநग़Ͱ͖Δ
APIΤϯυϙΠϯτͷಛఆ 1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 2. JSParserͳͲͷπʔϧΛ༻͍ͯAPIΤϯυϙ ΠϯτΛಛఆ͢Δ
JSParser
1. JavaScriptίʔυ͕ଘࡏ͢ΔURLΛऩू 1. Find ScriptͰURLΛϦετ͢Δ 2. Copy selected URLsΛΫϦοΫ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 1. Proxy > History > ϑΟϧλʔઃఆΛ։͘ 2. Show only
ʹνΣοΫ͠ js ͱೖྗ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 3. ΞΠςϜΛશબ͢Δ
HistoryͷϑΟϧλϦϯάػೳͰ༻Մೳ 4. Copy URLsΛΫϦοΫ
2. APIΤϯυϙΠϯτΛಛఆ͢Δ 1. ίϐʔͨ͠URLΛషΓ͚ 2. JSParseΛΫϦοΫ
৽ͨͳϦιʔεΛಛఆ͢Δ͜ͱͰ੬ऑੑΛൃݟ Ͱ͖Δ֬Λ্͛Δ 2. APIΤϯυϙΠϯτΛಛఆ͢Δ
3. Analyze target
Analyze target • Ͳͷύϥϝʔλ͕Կճ༻͞Ε͍ͯΔ͔Ѳ Ͱ͖Δ • ੬ऑੑͷԣల։ύϥϝʔλϕʔεͰ੬ऑੑ Λ୳͍ͨ࣌͠ʹ༗ޮͳ߹͕͋Δ
͍ํ 1. Engagement tools > Analyze target ΛΫϦοΫ
͍ํ ղੳ݁ՌΛ֬ೝ͢Δ
Happy Hunting!